Free Malware Removal Forum


I am having trouble removing some spyware that brings popups, even when Internet Explorer is not open. I tried to clean the system and here is what I did. The system is Windows XP Pro. The system did not have any antispyware running, but was up to date with Norton Antivirus. Did a full virus scan as well.

Turned off System Restore

deleted all temp files, via properties, and then manually clearing out remaining, and deleted recycle bin

ran hijack just to see if I recognized the spyware from past cleans, did not.

User installed MSN toolbar, I removed it just so I could see what entries remained afterwards.

Installed and updated both Spybot search and destroy 1.4 and latest Adaware

Re-booted in safe mode

ran both programs, Spybot only showed 2 of what I think are harmless adware programs, and Adaware removed a few others, and I also ran the ad stream option, and cleaned that (automatically).

Then I ran CWShredder, reported clean, and then ABOUTBLASTER, also reported clean

In HiJack I tried to remove the g.msn lines, but they keep returning. I looked into C:\windows and C:\windows\system32 to see if I could identify any spyware files (exe or dll) and I could not. (I may just not have been able to recognize them, as often just by date and weird name it's obvious.)

So far I have been unable to remove the popups

they are often these sites
www219.paypopup.com
loadingwebsites.com
64.192.130.141
and some always ending *yyy65.html

I tried even adding these sites to restricted sites in explorer and that did not work.

So here is my final HIJACK log after all of this, as well as I printed a Tasks listing in case that helps!!

Cause I sure need HELP

I hope I have provided a detailed and good explanation of the situation, thanks to all who can help me!!!!!

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

After the fix portion is done, please run the option to restore the winlogon defaults (menu option 4) as most of the notify key is missing. After you do that, post an option 1 log again.

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

To get your home page of choice use IE to get to your page and select from the menu, tool, internet option, set to current.

One thing you should check is if the recycle bin is working correctly - if not post back for some more instructions.

===================

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and re-enable system restore here: Managing Windows Millennium System Restore or Windows XP System Restore Guide. Re-enable system restore with instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs: Computer Safety On line - Anti-Virus

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below: Computer Safety On line - Software Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Instructions for - Spybot S & D and Ad-aware

Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Ok, it appears the popups are gone, however a few problems remain. As you mentioned, there is a problem with the Recycle Bin: there was one item there (a string of letters and numbers) and I cannot empty the bin.

Second, I removed the items in Hijack as you said, however every time I re-boot, TeaTimer on boot up keeps advising me that it is deleting these entries again. When I check they are not there, but I am wondering if this means something is trying to add them back again.

I will post the latest HIJACK log so you can see, but when I try and delete this line, it keeps re-appearing on a re-boot.

I also adjusted Internet Explorer settings as per your default post, and I have one small question: when going to safe sites, like Microsoft or Hotmail, I keep getting dialog boxes asking, yes or no, to ActiveX scripts. As it's happening often, is there any way to add sites to a safe list, as the dialog box comes up almost as often as popups? Just curious.

Unless you do have something hidden that is reinstalling those lines, very unlikely as the lines in question are not related to known BAD malware, just slightly bad, I think this is teatimer doing its thing, and has happened before.

My suggestion is to reset teatimer so that it can restart with a known good status. One method would be to uninstall and reinstall the program and is the method I usually advise.

While uninstalled use HJT to remove the R0/R1 lines and that orphaned O2.

Thanks Chris, I looked at the link, not sure it's exactly my problem as it says it restores the desktop icon, so it didn't exactly detail my problem. I think I will leave it for now, so we can close this out. I kept the link, and I will keep reading here, and see if there are other links for the exact problem. (Unless you think it's safe to run this one and try anyway.) The main thing is I have the system running again!!
